{
	"id": "5c61862d-d541-4b16-be9a-7a9c114cc4c5",
	"created_at": "2026-04-06T00:09:28.268959Z",
	"updated_at": "2026-04-10T03:31:48.40393Z",
	"deleted_at": null,
	"sha1_hash": "7a815c8b8fee46c03ae82fd7af57c4bc273a516c",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48847,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 22:04:42 UTC\r\n Tool: KRNRAT\r\nNames KRNRAT\r\nCategory Malware\r\nType Backdoor, Tunneling, Exfiltration\r\nDescription\r\n(Trend Micro) The other rootkit we found is called KRNRAT. It’s a full-featured backdoor\r\nwith various capabilities, including process manipulation, file hiding, shellcode execution,\r\ntraffic concealment, and C\u0026C communication. We named this rootkit KRNRAT because of its\r\ninternal name, just as written in its PDB string.\r\nInformation \u003chttps://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html\u003e\r\nLast change to this tool card: 27 June 2025\r\nAll groups using tool KRNRAT\r\nChanged Name Country Observed\r\nAPT groups\r\n  Earth Kurma 2020  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=32e3be0f-b2cd-4591-bd73-e972f7f5d28d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=32e3be0f-b2cd-4591-bd73-e972f7f5d28d"
	],
	"report_names": [
		"listgroups.cgi?u=32e3be0f-b2cd-4591-bd73-e972f7f5d28d"
	],
	"threat_actors": [
		{
			"id": "222835b0-22fb-406e-8fd5-f36dae694212",
			"created_at": "2025-06-29T02:01:56.985922Z",
			"updated_at": "2026-04-10T02:00:04.666399Z",
			"deleted_at": null,
			"main_name": "Earth Kurma",
			"aliases": [],
			"source_name": "ETDA:Earth Kurma",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DMLOADER",
				"DUNLOADER",
				"KRNRAT",
				"Moriya",
				"ODRIZ",
				"SIMPOBOXSPY",
				"TESDAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f161dc2b-a18e-43b9-9786-2285bc745a10",
			"created_at": "2025-05-29T02:00:03.214326Z",
			"updated_at": "2026-04-10T02:00:03.867482Z",
			"deleted_at": null,
			"main_name": "Earth Kurma",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Kurma",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434168,
	"ts_updated_at": 1775791908,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7a815c8b8fee46c03ae82fd7af57c4bc273a516c.pdf",
		"text": "https://archive.orkl.eu/7a815c8b8fee46c03ae82fd7af57c4bc273a516c.txt",
		"img": "https://archive.orkl.eu/7a815c8b8fee46c03ae82fd7af57c4bc273a516c.jpg"
	}
}